ICO Consultation on the Direct Marketing Code of Practice 


Feedback from Royal Mail 


Q1 The code will address the changes in data protection legislation and the implications for direct marketing. What changes to the data protection legislation do you 
think we should focus on in the direct marketing code? 


Postal marketing & legitimate interests 

Recital 47 of the GDPR states “the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.” The ICO have 
confirmed in the past that legitimate interests can be a suitable lawful basis for postal marketing and have stated “you won’t need consent for postal marketing”. However, 
this is not well known nor understood in the marketplace. There is a very clear need for the Direct Marketing Code to clarify once and for all that legitimate interest IS an 
acceptable lawful basis for postal marketing and set out ICO’s specific requirements to meet the legitimate interest balancing test for postal marketing. 


This requirement is imperative to Royal Mail Group and our customers for the following reasons. Both Royal Mail and a significant number of its customers have ceased 
acquiring third party data for direct mail purposes due to fears about compliance. There is very little data available in the market for rental (if any) which meets the 
GDPR/DPA requirements for named opt-in consent for the organisation which rents the data. List owners can’t know at the time of data collection which organisations will 
want to rent their data in future, so named consent is not a viable option. Therefore, many list owners and aggregators are looking to legitimate interests as an alternative 
lawful basis for third party postal marketing. However, their customers are reluctant to rent/lease this data due to fears that their use of this data may be deemed 
non-compliant. They simply don’t know how to evaluate whether it’s lawful to send marketing by mail to third party data. 


Royal Mail would like the ICO to provide clear guidance in two areas: 


1. Tell list owners how to generate data for third party postal marketing in a lawful way. This will lead to: 
• more transparent collection of data 
• more control for data subjects 
• better quality data for organisations who wish to rent it. 


2. Tell organisations who wish to use rented data what they need to do to act compliantly. Royal Mail’s business customers are calling on the ICO to provide guidance 
which tells those renting/leasing data how they can use this data in a compliant manner. For example, do they have a responsibility to conduct due diligence with 
data suppliers, and what do they need to check in due diligence? A simple checklist would provide the necessary information to enable organisations to undertake 
their own self-assessment. 


We propose this guidance should include the following content areas: 


• Requirements for provision of fair processing information when notifying data subjects about an organisation’s intention to pass on their personal data for 
marketing by other parties. For example, please confirm that it is acceptable to name specific types of businesses who may send marketing by post, rather than 
specific organisations. It is key to remember the list owners will know the types of organisation but will not know in advance which organisation will want to rent 
the data. 

• Where the list owner is pooling or aggregating personal data this could result in a lack of transparency for data subjects. Can ICO clarify their position as to 
whether it is acceptable to use pooled data sources provided the list owner can demonstrate provenance of the data and evidence that adequate fair processing 
information has been provided? 

• Right to object to third party marketing. What are the specific responsibilities of the list owner and their customer (who rents the data for postal marketing)? 

• For the above, is any additional flexibility possible for business to business (B2B) marketing where the privacy risks may be lower? 

• Clarify the situation for the rental/lease of data for telemarketing compiled under legitimate interests. 


Royal Mail would be very happy to collaborate with ICO on this, or help by providing relevant examples. 


The so-called ‘soft opt-in’ under PECR 
There is a requirement for the ICO to clarify what is meant by ‘similar products and services’ regarding the soft opt-in. The existing examples are a little outdated. It would 
be helpful if ICO could provide examples of businesses which operate with multiple sales touchpoints and brands and therefore offer a wide range of products & services 
online as well as through traditional channels. It would be useful if ICO could provide a framework/matrix to enable decision-making regarding the range of services which 
may / may not be marketed under soft opt-in. It should be noted that changes over time can influence what is “expected” of a company about its product offering, and 
customer expectations of what it sells, and affect what’s “similar”. Should organisations take account of customer expectations of what may be regarded as ‘similar’? If so, 
can you give specific guidance regarding the ICO’s expectations? 


We understand that not-for-profit organisations (charities) are not permitted to use the soft opt-in while receiving charitable donations, but the rationale for this is 
unclear. Many charities do not understand why this is and feel penalised. The outcome is that most charities feel compelled to go down the route of opt-in consent for all 
data sources/channels, rather than some data touchpoints using consent and others using soft opt-in or legitimate interests. This has an impact on their ability to grow the size of 
their marketable database and build engagement with their supporters. Could we ask the ICO to reconsider this exemption in the updated Code? 


Service messages 
We would like ICO to give clearer guidance on what constitutes a service message, what constitutes a marketing message, and raise awareness of where the lines must be 
drawn to prevent the overlap of such communications. Royal Mail has created its own internal guidance which we are happy to share with ICO. A common question is 
around newsletters and whether they are viewed as a service or marketing message and how an appropriate assessment should be made. 


Preference Centres 

There is a requirement for guidance on launching & operating Preference Centres. It has been noted that organisations cannot communicate with dissenting customers 
with regard to checking the validity of their preferences. It would be beneficial to obtain the ICO view on how, if a preference centre is created, it can be communicated to 
all the customers in the database without penalty, as it is a mechanism which provides the customer choice and control over their data, something the GDPR promotes. 


Social marketing & online remarketing 

Targeting advertising on social media using personal data has become common practice. Please can you provide guidance on how to conduct this in a compliant manner. 
Guidance should also be provided regarding the practice of online remarketing, i.e. remarketing to website visitors using personal data to target relevant advertising when 
they browse on other websites or mobile apps. 


Marketing supply-chain management 

There is a requirement for more guidance for marketers regarding controller responsibilities when outsourcing to processors. Could the ICO contextualise the guidance for 
the marketing environment? For example, it would be helpful to confirm what responsibilities an organisation has when outsourcing to a telemarketing bureau, a mailing 
house, a software provider, a data service provider, agencies, etc. 


Q2 Apart from the recent changes to data protection legislation are there other developments that are having an impact on your organisation’s direct marketing 
practices that you think we should address in the code? Yes/No 


Yes 
Q3 If yes please specify 


We are looking for further clarification with regard to post-GDPR requirements when processing data via cookies or similar technologies, such as transparency and consent. 
This is a very complex area and the ICO guidance has not been updated for some time. Many organisations are confused about how GDPR works alongside PECR and whether they need 
to move from implied consent to explicit consent, and it is apparent when visiting websites that a number of different approaches are used. In addition, there have been 
numerous industry discussions around the use of browser settings for controlling cookie settings by the data subject and it would be useful to get the latest view on this. 
There is also a need to clarify data controllers’ responsibilities with regard to the complex area of reviewing first and third party cookies on their website(s). 


Q4 We are planning to produce the code before the draft ePrivacy Regulation (ePR) is agreed. We will then produce a revised code once the ePR becomes law. Do you 
agree with this approach? Yes/No 


Yes. We believe that organisations would benefit significantly from ICO guidance as a matter of priority. In our view the ICO should not wait for the forthcoming ePrivacy 
Regulations to be completed, not least because it is unclear when the Regulation will be agreed and what the final text will look like. ePrivacy is outside of ICO’s control. 
There were a number of concerns around late guidance from the ICO over consent in the lead up to GDPR and updated information is now required to assist businesses to 
fully understand the ICO’s position on many marketing areas. It is particularly hard for SMEs which may not have a Legal or Compliance function in-house. 


Prior to publishing an updated DM Code the risk remains that organisations may either become too cautious in their approach to compliance, which could damage business 
revenues/profitability, or they may act in ways which the ICO may later decide are non-compliant. Most organisations want to act responsibly and in line with ICO 
guidance. 


Q5 If no please explain why you disagree 
N/a 
Q6 Is the content of the ICO’s existing direct marketing guidance relevant to the marketing that your organisation is involved in? Yes/No 


Yes 


Q7 If no what additional areas would you like to see covered? 

More case studies & examples would be useful, for example good and bad industry practice, to bring the Direct Marketing Code to life, perhaps using some of the 
enforcement cases the ICO has dealt with to highlight the learning. We would like to see more detail on specific types of sales & marketing, for example exhibitions & 
events that are key interactions with business customers with less formal/structured approaches to data collection. The current code covers examples of customers 
enquiring about products/services as sufficient for re-contact; however, it would be good to clarify rules around registration for an exhibition/event, leaving a business card, 
scanning barcodes, etc. 


Q8 Is it easy to find information in our existing direct marketing guidance? Yes/No 


No 


Q9 If no, do you have any suggestions on how we should structure the direct marketing code? 


• The structure is relatively easy to follow. However, the code is long and can be quite negative in tone, e.g. it says what you must not do. It would be helpful to adopt a 
more positive & pragmatic approach which helps organisations to know how to comply. 


• It should be helpful and easy to understand for marketers of large businesses and SMEs, with less jargon and more examples from various sectors around the use of 
data across multiple channels. Diagrams, flowcharts, checklists and tables are very useful. 


• Download needs to be more prominent and the document should be version controlled with clear indications of updates. 


• It should be similar to DMA guide styles. Marketers are not GDPR specialists and so the guidance must be written in the right language for them. It should be easy to adopt 
guidance without having to refer to DPOs and legal for clarification (for example, on collecting and sharing data). 


• Short and long form versions of the Code would be helpful. 


• The code should also try to make clear what the specific risks are and how these may result in a negative outcome for the data subject. To understand properly, people 
need to know why as well as what. We recognise it’s quite a delicate balancing act to provide guidance on what is / is not acceptable in a positive tone of voice whilst also 
making it clear what potential harm may result if organisations don’t comply. 

Q10 Please provide details of any case studies or marketing scenarios that you would like to see included in the direct marketing code. 

As above. It would be helpful to have more case studies/examples to illustrate similar products and services, ones that are not Retail focused and more aligned to 
online/digital relationships. A case study to illustrate each section would bring it to life. 


Q11 Do you have any other suggestions for the direct marketing code? 


We would suggest you give examples where it is acceptable / not acceptable to contact consumers about re-permissioning or updating preferences. 